From 62edf97e7440b240f633d4e3db7bbdb2e9eaf1cd Mon Sep 17 00:00:00 2001
From: Stefan Berthold
Date: Thu, 1 Feb 2024 09:41:53 +0000
Subject: [PATCH] test: team settings and propertied cannot be changeds by foreign team owner
---
 integration/test/Test/TeamSettings.hs | 32 ++++++++++++++++++---------
 1 file changed, 21 insertions(+), 11 deletions(-)
diff --git a/integration/test/Test/TeamSettings.hs b/integration/test/Test/TeamSettings.hs
index e820e57e256..b99ca05cd28 100644
--- a/integration/test/Test/TeamSettings.hs
+++ b/integration/test/Test/TeamSettings.hs
@@ -17,7 +17,7 @@
 -- You should have received a copy of the GNU Affero General Public License along
 -- with this program. If not, see .
-module Test.TeamSettings where
+module Test.TeamSettings ( testTeamSettingsUpdate, testTeamPropertiesUpdate ) where
 import API.Galley
 import SetupHelpers
@@ -25,28 +25,38 @@ import Testlib.Prelude
 testTeamSettingsUpdate :: HasCallStack => App ()
 testTeamSettingsUpdate = do
- (owner, tid, [mem]) <- createTeam OwnDomain 2
- partner <- createTeamMemberWithRole owner tid "partner"
+ (ownerA, tidA, [mem]) <- createTeam OwnDomain 2
+ partner <- createTeamMemberWithRole ownerA tidA "partner"
- bindResponse (putAppLockSettings tid owner def) $ \resp -> do
+ bindResponse (putAppLockSettings tidA ownerA def) $ \resp -> do
 resp.status `shouldMatchInt` 200
- bindResponse (putAppLockSettings tid mem def) $ \resp -> do
+ bindResponse (putAppLockSettings tidA mem def) $ \resp -> do
 resp.status `shouldMatchInt` 403
 resp.json %. "label" `shouldMatch` "operation-denied"
- bindResponse (putAppLockSettings tid partner def) $ \resp -> do
+ bindResponse (putAppLockSettings tidA partner def) $ \resp -> do
+ resp.status `shouldMatchInt` 403
+ resp.json %. "label" `shouldMatch` "operation-denied"
+
+ (ownerB, _tidB, []) <- createTeam OwnDomain 1
+ bindResponse (putAppLockSettings tidA ownerB def) $ \resp -> do
 resp.status `shouldMatchInt` 403
 resp.json %. "label" `shouldMatch` "operation-denied"
 testTeamPropertiesUpdate :: HasCallStack => App ()
 testTeamPropertiesUpdate = do
- (owner, tid, [mem]) <- createTeam OwnDomain 2
- partner <- createTeamMemberWithRole owner tid "partner"
+ (ownerA, tidA, [mem]) <- createTeam OwnDomain 2
+ partner <- createTeamMemberWithRole ownerA tidA "partner"
- bindResponse (putTeamProperties tid owner def) $ \resp -> do
+ bindResponse (putTeamProperties tidA ownerA def) $ \resp -> do
 resp.status `shouldMatchInt` 200
- bindResponse (putTeamProperties tid mem def) $ \resp -> do
+ bindResponse (putTeamProperties tidA mem def) $ \resp -> do
 resp.status `shouldMatchInt` 403
 resp.json %. "label" `shouldMatch` "operation-denied"
- bindResponse (putTeamProperties tid partner def) $ \resp -> do
+ bindResponse (putTeamProperties tidA partner def) $ \resp -> do
+ resp.status `shouldMatchInt` 403
+ resp.json %. "label" `shouldMatch` "operation-denied"
+
+ (ownerB, _tidB, []) <- createTeam OwnDomain 1
+ bindResponse (putTeamProperties tidA ownerB def) $ \resp -> do
 resp.status `shouldMatchInt` 403
 resp.json %. "label" `shouldMatch` "operation-denied"
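Review bot: The new `ownerB` cases in `testTeamSettingsUpdate` and `testTeamPropertiesUpdate` assert only the 403 status and the `operation-denied` label, and every request in both tests sends the same `def` payload, so a server that returned 403 but still persisted the write would pass these tests. If the payload type allows it, send a value that differs from `def` in the `ownerB` request and then read team A's settings back as `ownerA` to confirm they are unchanged; the same gap exists in the `mem` and `partner` cases. A one-line comment above each new block, e.g. `-- an owner of a different team must not be able to modify team A`, would also explain why `_tidB` is created but never used.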